Netgate Discussion Forum

    DHCP server : Deny unknown clients - bypass

    5 Posts 3 Posters 1.1k Views
      A Former User

      I have a few simple pfSense 2.2.4 setups with
      single WAN,
      "INTERNAL LAN" and
      "GUEST LAN".
      pfSense is the DHCP server for both the "INTERNAL LAN" and the "GUEST LAN" with "Deny unknown clients" active on both LANs.

      So setup:
      "INTERNAL LAN": DHCP static mappings defined for all trusted "own" machines, Deny unknown clients selected - small DHCP range defined but should not be used.

      "GUEST LAN": DHCP static mappings defined for trusted "long term guest" machines, Deny unknown clients selected - small DHCP range defined but should not be used.

      Now, what I was not expecting is that a machine defined on the "GUEST LAN" as a static mapping CAN still connect to the "INTERNAL LAN", even getting an IP address from the DHCP server on the "INTERNAL LAN" with no mapping defined there for that "INTERNAL LAN".

      It does not seem like a desired outcome to me.
      Besides protecting with an MDM layer, are there other solutions?

      thanks,

        johnpoz LAYER 8 Global Moderator

        Defined clients for static mappings anywhere make them a known client. If they move to a segment that has a DHCP scope, even without a reservation, they would be able to get an IP from this scope. If you don't want clients moving segments then you shouldn't have DHCP scopes available. What is the point of these scopes if you're setting reservations and setting deny unknown clients?

        Remove your scopes and this behavior goes away. Even if a known client moves to a different segment there would be no addresses to give them.

        Since you created these scopes it seems like it's acting exactly how you would want it to act. Known clients can move between segments and leverage the DHCP scope there because they are "known" to pfSense. But if I brought my client over it wouldn't get an IP because it's not a known client in any of your scopes.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          A Former User

          Thanks,

          It might be a language issue (mine) but the way the settings are interpreted does not feel "intuitive" to me.

          Funny thing is,
          when I tried to remove the only DHCP scope on the INTERNAL LAN interface, pfSense does not let me.

          The "start" and "end" IP addresses are a requirement if you have DHCP on the interface.

            hda

            You could issue the static addresses outside the DHCP-range.
            You could use [Services: DHCP server] (Enable Static ARP entries).

              johnpoz LAYER 8 Global Moderator

              Statics or reservations should always be outside the scope. I will have to look if there is a requirement for a scope if DHCP is on for static reservations.

              Edit: I see your point. If I have DHCP enabled because I want to use statics and deny unknown, you have to have a scope, even if only 1 IP. This would make it possible for a known client from a different interface to move over to that segment and get that IP.

              For this sort of setup there should be a way to not have a scope defined, I guess.


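Both of johnpoz's answers come down to one rule of ISC dhcpd, which is the DHCP daemon pfSense 2.2.4 drives from its GUI: a client is "known" if any host declaration in the whole configuration matches it, and "Deny unknown clients" only keeps out clients with no host declaration at all. The configuration below is an added example written for this page; it is neither pfSense's generated dhcpd.conf nor anything posted in the thread, and the subnets, MAC addresses and host names are made up. Part 1 reproduces the situation the original poster describes; part 2 is the raw-dhcpd way to pin each pool to its own segment with classes, which is the shape a fix for the "scope is mandatory" problem in the last post would take. The two parts are two separate dhcpd.conf files, because dhcpd rejects the same subnet declared twice.

```conf
# Added example, not pfSense's generated dhcpd.conf.  Subnets, MAC
# addresses and host names are made up for illustration.

# ---- Part 1: what the thread describes, "Deny unknown clients" on both LANs ----
# In ISC dhcpd a client is "known" if ANY host declaration in the file
# matches it, whichever subnet the declaration sits in, so guest_laptop is
# known on the INTERNAL LAN too.  Its fixed-address is not on that subnet,
# so dhcpd ignores it and falls back to the dynamic range, and that range
# admits known clients.  This is exactly the lease the poster saw.

subnet 192.168.10.0 netmask 255.255.255.0 {      # INTERNAL LAN
    option routers 192.168.10.1;
    deny unknown-clients;
    range 192.168.10.250 192.168.10.254;         # the "small range"
}

subnet 192.168.20.0 netmask 255.255.255.0 {      # GUEST LAN
    option routers 192.168.20.1;
    deny unknown-clients;
    range 192.168.20.250 192.168.20.254;
}

host internal_pc {
    hardware ethernet 00:11:22:33:44:55;
    fixed-address 192.168.10.10;
}

host guest_laptop {
    hardware ethernet 66:77:88:99:aa:bb;
    fixed-address 192.168.20.10;                 # only usable on the GUEST LAN
}

# ---- Part 2 (separate file): tie each pool to its own segment ----
# Class membership is evaluated per request.  A pool whose only access
# statements are "allow" lines refuses every client that matches none of
# them, so guest_laptop, known only through its GUEST LAN host
# declaration, gets no address from the INTERNAL LAN range.  The host
# declarations from Part 1 stay as they are.

class "internal" {
    match hardware;
}
subclass "internal" 1:00:11:22:33:44:55;         # 1 = Ethernet, then the MAC

class "guest" {
    match hardware;
}
subclass "guest" 1:66:77:88:99:aa:bb;

subnet 192.168.10.0 netmask 255.255.255.0 {      # INTERNAL LAN
    option routers 192.168.10.1;
    pool {
        allow members of "internal";
        range 192.168.10.250 192.168.10.254;
    }
}

subnet 192.168.20.0 netmask 255.255.255.0 {      # GUEST LAN
    option routers 192.168.20.1;
    pool {
        allow members of "guest";
        range 192.168.20.250 192.168.20.254;
    }
}
```

Two caveats. pfSense writes dhcpd.conf from the GUI settings and overwrites it on every change, so Part 2 shows the mechanism in the daemon underneath, not a setting the thread's pfSense page offers. And in ISC dhcpd itself a subnet that carries only host declarations and no range is valid and simply has nothing dynamic to hand out, which is the "no scope" state johnpoz recommends; the start/end requirement the poster ran into is the pfSense form's validation, not the daemon's.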
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.